Error 403 - blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

Our ad partner has Cloudflare in front of their resources at s1search.co.

When we try to load JavaScript from them at this website from our website Luxxle.com, we get the following error:

Access to XMLHttpRequest at https://www-luxxle-com.s1search.co/serp?embeddedVersion=2.9.0&embeddedOrigin=https%3A%2F%2Fwww-luxxle-com.s1search.co from origin https://luxxle.com has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. net::ERR_FAILED 403 (Forbidden)

These are the headers on our website:

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type, Authorization");
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Expose-Headers: Content-Length, X-JSON");
header("Access-Control-Max-Age: 3600");

Is this a Cloudflare firewall issue? Are we being blocked by Cloudflare or is there a header problem on my website that will fix this?
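
The browser message quoted above is about the headers on the response from the requested resource (the s1search.co host), not the headers sent by the page that makes the request. As an added example (not code from the original post; the function name `corsCheck` and the sample responses are constructed), this JavaScript models the check a browser applies to a cross-origin response:

```javascript
// Added example: simplified model of the CORS check a browser applies to a
// cross-origin response. Function name and sample data are constructed.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  // Header names are case-insensitive; values are compared exactly.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header on the response" };
  }
  if (!withCredentials && allowOrigin === "*") {
    return { allowed: true, reason: "wildcard accepted for a non-credentialed request" };
  }
  if (allowOrigin !== requestOrigin) {
    const reason = allowOrigin === "*"
      ? "wildcard is rejected when credentials are sent"
      : "Access-Control-Allow-Origin does not match the requesting origin";
    return { allowed: false, reason };
  }
  if (!withCredentials) return { allowed: true, reason: "origin matches" };
  if (h["access-control-allow-credentials"] === "true") {
    return { allowed: true, reason: "origin matches and credentials are allowed" };
  }
  return { allowed: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
}

const ORIGIN = "https://luxxle.com";
// Constructed: a 403 response that carries no CORS headers at all.
const blocked403 = { "Content-Type": "text/html" };
// Constructed: headers the requested resource would have to return itself.
const fixedResponse = { "Access-Control-Allow-Origin": ORIGIN, "Vary": "Origin" };
// The header set quoted in the post, treated as a response from that site.
const postedHeaders = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};

function demo() {
  return {
    blocked: corsCheck(ORIGIN, blocked403),
    fixed: corsCheck(ORIGIN, fixedResponse),
    postedPlain: corsCheck(ORIGIN, postedHeaders),
    postedWithCreds: corsCheck(ORIGIN, postedHeaders, true),
  };
}
console.log(demo());
```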